Signing Requests

Each request must be signed according to the OAuth specification. Ipernity supports HMAC_SHA1 and MD5 as signature methods:

The HMAC-SHA1 signature method uses the HMAC-SHA1 signature algorithm as defined in [RFC2104] where the Signature Base String is the text and the key is the concatenated values (each first encoded per Parameter Encoding) of the Consumer Secret and Token Secret, separated by an '&' character (ASCII code 38) even if empty.

For signing with the MD5 method, the Consumer Secret and Token Secret (each first encoded per Parameter Encoding), separated by an '&' character (ASCII code 38) even if empty, MUST be added to the end of the Signature Base String.
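The two signature methods described above, as an added example that is not ipernity's own code. It assumes the Signature Base String is built as in OAuth 1.0, that the HMAC-SHA1 result is base64-encoded as in OAuth 1.0, and that the MD5 result is a hex digest (the page does not state the MD5 output encoding); all keys, secrets and nonces are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def enc(value: str) -> str:
    """OAuth Parameter Encoding: percent-encode everything but unreserved chars."""
    return quote(value, safe="-._~")

def base_string(method: str, url: str, params: dict) -> str:
    """Signature Base String: METHOD & encoded URL & encoded sorted parameters."""
    pairs = sorted((enc(k), enc(v)) for k, v in params.items()
                   if k != "oauth_signature")  # the signature never signs itself
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])

def secret_key(consumer_secret: str, token_secret: str = "") -> str:
    """Encoded secrets joined by '&'; the '&' is kept even if a secret is empty."""
    return f"{enc(consumer_secret)}&{enc(token_secret)}"

def sign(method_name, http_method, url, params, consumer_secret, token_secret=""):
    text = base_string(http_method, url, params)
    key = secret_key(consumer_secret, token_secret)
    if method_name == "HMAC_SHA1":
        mac = hmac.new(key.encode(), text.encode(), hashlib.sha1).digest()
        return base64.b64encode(mac).decode()
    if method_name == "MD5":
        # Secrets are appended directly to the end of the base string.
        # Assumption: hex digest output; the page does not give the encoding.
        return hashlib.md5((text + key).encode()).hexdigest()
    raise ValueError(f"unsupported signature method: {method_name}")

# Constructed sample values, not real credentials.
PARAMS = {
    "oauth_consumer_key": "example-consumer-key",
    "oauth_signature_method": "HMAC_SHA1",
    "oauth_timestamp": "1700000000",
    "oauth_nonce": "constructed-nonce-1",
    "oauth_version": "1.0",
}
URL = "http://www.ipernity.com/apps/oauth/request"

if __name__ == "__main__":
    # Request Token step: no Token Secret yet, so the key ends with '&'.
    for name in ("HMAC_SHA1", "MD5"):
        p = dict(PARAMS, oauth_signature_method=name)
        print(name, sign(name, "GET", URL, p, "example-consumer-secret"))
```

A server-side check of a received signature should recompute it the same way and compare with hmac.compare_digest rather than ==.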

Steps of authentication

OAuth Authentication is done in three steps:

The Consumer obtains a Request Token.

The User authorizes the Request Token.

The Consumer exchanges the Request Token for an Access Token.

1. Get a Request Token

The Consumer sends an HTTP request to the Request Token URL (http://www.ipernity.com/apps/oauth/request).
The HTTP method for this request can be HTTP HEAD, HTTP POST or HTTP GET.
The request MUST be signed and contain the following parameters:

oauth_consumer_key: The Consumer Key.

oauth_signature_method: The signature method the Consumer used to sign the request (MUST be HMAC_SHA1 or MD5).

oauth_signature: The signature.

oauth_timestamp: The timestamp.

oauth_nonce: The nonce.

oauth_version: OPTIONAL. If present, value MUST be 1.0 or 1.0a.

oauth_callback: OPTIONAL (can be provided in the next step). An absolute URL to which ipernity will redirect the User back when the User Authorization step is completed. The callback URL MAY include Consumer-provided query parameters; ipernity retains them unmodified and appends the OAuth parameters to the existing query.

2. Redirect the user to the authorization page

In order for the Consumer to be able to exchange the Request Token for an Access Token,
the Consumer MUST obtain approval from the User by directing the User to ipernity.
The Consumer constructs an HTTP GET request (not signed) to ipernity's User Authorization URL
(http://www.ipernity.com/apps/oauth/authorize)
with the following parameters:

oauth_token: The Request Token obtained in the previous step.

oauth_callback: OPTIONAL (can be provided in the previous step). An absolute URL to which ipernity will redirect the User back when the User Authorization step is completed. The callback URL MAY include Consumer-provided query parameters; ipernity retains them unmodified and appends the OAuth parameters to the existing query.

Please note that once authenticated, the consumer callback URL will be called with the request token (oauth_token=xxx) added to it.

3. Exchange the Request Token for an Access Token

To request an Access Token, the Consumer makes an HTTP request to ipernity’s Access Token URL
(http://www.ipernity.com/apps/oauth/access).
The HTTP method for this request can be HTTP HEAD, HTTP POST or HTTP GET.
The request MUST be signed and contain the following parameters:

oauth_consumer_key: The Consumer Key.

oauth_token: The Request Token obtained previously.

oauth_signature_method: The signature method the Consumer used to sign the request (MUST be HMAC_SHA1 or MD5).

Make an API call in authenticated mode

After successfully receiving the Access Token and Token Secret, the Consumer is able to access the Protected Resources on behalf of the User.
The HTTP method for this request can be HTTP POST or HTTP GET.
The request MUST be signed and contain the following parameters:

oauth_consumer_key: The Consumer Key.

oauth_token: The Access Token.

oauth_signature_method: The signature method the Consumer used to sign the request (MUST be HMAC_SHA1 or MD5).